Author: Christopher Kim
TLP: WHITE
On 22 July, Infoblox observed a malspam campaign distributing Snake Keylogger. The email attachments are Rich Text Format (RTF) files that carry an exploit for CVE-2017-11882, a well-known vulnerability in the Microsoft Office Equation Editor.[1]
Snake Keylogger's code shares many similarities with other keyloggers such as Phoenix, 404, Cheetah, and Matiex; it is likely that all five derive from the same codebase.[2]
First discovered in November 2020,[3] Snake Keylogger is a modular .NET infostealer. Threat actors use the malware's builder to select and configure specific features when generating new payloads. Snake Keylogger steals credentials and configuration data by parsing login data from web browser databases, email clients, Wi-Fi network configuration files, and chat clients. It can also log keystrokes, take screenshots, and extract the contents of the system clipboard.
The emails in this campaign used the subject line RE: Re: Order # 08201450. To disguise an RTF file as a Microsoft Word document, the threat actor renames the .rtf extension to .doc; Word opens the file as RTF regardless of its extension, so the rename changes only what the recipient sees. The attachment is named either ORDER_LIST.doc or Order _ 08201450.doc. All emails were delivered from a single IP address via the Simple Mail Transfer Protocol (SMTP).
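Two things in this campaign are cheap to check on a mail gateway or in triage: whether an attachment's content actually matches its extension, and whether an RTF embeds an OLE object of the Equation Editor class that CVE-2017-11882 lives in. The following scanner is an added example written for this post; it is not Infoblox's tooling or part of the report. It relies only on public constants (the RTF, OLE and zip file signatures, the Equation Editor 3.0 CLSID 0002CE02-0000-0000-C000-000000000046 and progid Equation.3). The sample attachments it scans are constructed inline, carry no exploit content, and exist only to show the markers the checks key on; the function and variable names are the example's own.

```python
import os
import re
import uuid

# File signatures for the three formats a "Word document" attachment can really be.
RTF_MAGIC = b"{\\rt"                                   # RTF header ("{\rtf1")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # OLE compound file (legacy .doc)
ZIP_MAGIC = b"PK\x03\x04"                              # OOXML zip container (.docx)

# Content a given extension is expected to carry; anything else is a mismatch.
EXPECTED = {".rtf": {"rtf"}, ".doc": {"ole"}, ".docx": {"ooxml"}}

# Public identifiers of Microsoft Equation Editor 3.0, the component targeted
# by CVE-2017-11882: its COM class ID and its OLE progid.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_PROGID = b"Equation.3"


def sniff(data: bytes) -> str:
    """Identify the real container format from its leading bytes."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def objclasses(rtf: bytes) -> list:
    """Progids declared with \\objclass for embedded OLE objects."""
    return [m.group(1).decode("ascii", "replace")
            for m in re.finditer(rb"\\objclass\s+([^\\{}\s]+)", rtf)]


def objdata_blobs(rtf: bytes) -> list:
    """Decode the hex payloads of \\objdata groups. Simplified on purpose: it
    ignores \\bin, nested groups and the whitespace/control-word tricks that
    in-the-wild RTF exploit documents use to break naive parsers."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f][0-9A-Fa-f\s]*)", rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) & ~1]          # drop a trailing odd nibble
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def scan(filename: str, data: bytes) -> dict:
    """Return the sniffed type plus a list of findings for one attachment."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    findings = []
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension {ext} but content is {kind}")
    if kind == "rtf":
        for cls in objclasses(data):
            if cls.lower() == EQNEDT_PROGID.decode().lower():
                findings.append(f"\\objclass declares {cls} (Equation Editor)")
        for blob in objdata_blobs(data):
            if EQNEDT_PROGID in blob or EQNEDT_CLSID.bytes_le in blob:
                findings.append("\\objdata payload references Equation Editor")
    return {"type": kind, "findings": findings, "suspicious": bool(findings)}


# ---- constructed, benign sample inputs (no exploit content, only the markers) ----

def ole1_object(progid: bytes) -> bytes:
    """Minimal OLE1 ObjectHeader as found inside \\objdata: OLEVersion,
    FormatID=2 (embedded), length-prefixed class name, empty topic/item names."""
    name = progid + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name + b"\x00" * 8)


def build_sample(progid: bytes) -> bytes:
    """An RTF body embedding one OLE object of the given progid (constructed)."""
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass " + progid + b"}"
            + b"{\\*\\objdata " + ole1_object(progid).hex().encode() + b"}}"
            + b" Please find the order details attached.}")


# Mirrors the campaign's trick: an RTF renamed to .doc that embeds Equation.3.
SUSPECT_NAME, SUSPECT_DATA = "Order _ 08201450.doc", build_sample(EQNEDT_PROGID)
# Control: an honestly named RTF embedding a Word object.
BENIGN_NAME, BENIGN_DATA = "notes.rtf", build_sample(b"Word.Document.8")

if __name__ == "__main__":
    for name, data in ((SUSPECT_NAME, SUSPECT_DATA), (BENIGN_NAME, BENIGN_DATA)):
        print(name, scan(name, data))
```

The extension check is the cheap first pass: a legitimate .doc starts with the OLE compound-file signature, so an attachment named .doc that begins with `{\rtf` is worth a closer look on its own. The Equation Editor check is a triage heuristic, not a verdict: a benign document can legitimately embed an Equation.3 object, and real exploit RTFs are routinely obfuscated so that the simple `\objdata` regex above misses them, which is why production pipelines detonate or fully parse the file rather than stop at this point.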
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://nvd.nist.gov/vuln/detail/CVE-2017-11882
2. https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/
3. https://twitter.com/james_inthe_box/status/1333431409847926784?lang=en